This invention relates to a management computer for managing a network and, more particularly, to a management computer that sets a client authentication technique in a switch constituting a network.
Ensuring network security is important in building a network today, particularly a company network. Many companies therefore introduce to their networks a router or switch (hereinafter collectively referred to as switch) with a client authentication function for verifying whether or not a user terminal (hereinafter referred to as client) has the right to connect to the network. The switch with a client authentication function does not allow a client that is not authorized to access the network to connect to the network, and sequesters this client to a separate network.
The switch with a client authentication function uses client identifiers which are registered in the switch in advance in verifying whether or not a client connected to the switch has the right to connect to the network. The switch with a client authentication function may verify whether or not a client has the right to connect to the network by judging whether or not a part of an electronic certificate sent from the client matches a part of an electronic dictionary stored in the switch in advance.
Client authentication is constituted of an authentication process and a permission process. The authentication process is a process of identifying a client that is connected to the switch and verifying whether or not the identified client has the right to connect to the network. The permission process is a process of allowing a successfully authenticated client to communicate with other clients in the network.
A system defined by IEEE 802.1X is known as a typical client authentication system. This client authentication system has a switch serving as an access point at which a client connects to a network and an authentication server for authenticating the client.
In client authentication according to IEEE 802.1X, the switch receives from a client a request to connect to a network and forwards the connection request to a Remote Authentication Dial-In User Service (RADIUS) server, which is an authentication server. Receiving the connection request, the RADIUS server performs authentication to verify whether or not the client has the right to connect to the network, and sends the result of the authentication to the switch. The switch receives the authentication result and, in response to the received authentication result, determines whether to relay a frame sent from the client.
Also known are a dynamic virtual local area network (VLAN) and other similar technologies that use IEEE 802.1X client authentication to execute simultaneously processing of authenticating a client and processing of adding the client to a corresponding VLAN.
Specifically, the switch forwards, to the RADIUS server of the authentication server, a request sent from a client to connect to a network. Receiving the connection request, the RADIUS server performs authentication to verify whether or not the client has the right to connect to the network, and determines to which VLAN the client belongs. The RADIUS server then incorporates the identifier of the VLAN to which the client belongs in the result of the authentication, and sends the authentication result to the switch. The switch receives the authentication result and, in response to the VLAN identifier contained in the authentication result, allocates the VLAN to which the client belongs to a port that is connected to the client.
Another known technology combines the IEEE 802.1X client authentication function with a MAC-VLAN function, which, based on the MAC addresses of multiple clients that are connected to the same port provided in a switch, adds a client to a VLAN designated in advance.
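The IEEE 802.1X exchange with dynamic VLAN assignment described above, as an added illustration that is not code from this patent. The attribute names follow the RADIUS tunnel attributes used for VLAN assignment (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID); the client names, secrets, VLAN numbers, port numbers and the quarantine VLAN are constructed sample values, and EAP is reduced to a simple identity/secret check for brevity.

```python
import hmac
from dataclasses import dataclass, field

QUARANTINE_VLAN = 999  # constructed: the separate network for unauthenticated clients


@dataclass
class RadiusServer:
    # constructed user database: identity -> (secret, VLAN the client belongs to)
    users: dict

    def authenticate(self, identity: str, secret: str) -> dict:
        """Verify the client and, on success, include its VLAN in the result."""
        entry = self.users.get(identity)
        if entry is None or not hmac.compare_digest(entry[0].encode(), secret.encode()):
            return {"code": "Access-Reject"}
        return {"code": "Access-Accept",
                "Tunnel-Type": "VLAN",
                "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-ID": str(entry[1])}


@dataclass
class Switch:
    radius: RadiusServer
    port_vlan: dict = field(default_factory=dict)  # port -> VLAN allocated to it
    port_open: dict = field(default_factory=dict)  # port -> whether frames are relayed

    def connect(self, port: int, identity: str, secret: str) -> int:
        """Forward the connection request to RADIUS and act on the authentication result."""
        result = self.radius.authenticate(identity, secret)
        if result["code"] == "Access-Accept" and result.get("Tunnel-Type") == "VLAN":
            # Allocate the VLAN named in the result to the port the client is on
            self.port_vlan[port] = int(result["Tunnel-Private-Group-ID"])
            self.port_open[port] = True
        else:
            # Not authorized: sequester the client instead of relaying its frames
            self.port_vlan[port] = QUARANTINE_VLAN
            self.port_open[port] = False
        return self.port_vlan[port]

    def relay(self, port: int) -> bool:
        """Whether the switch relays frames arriving on this port."""
        return self.port_open.get(port, False)


def demo() -> tuple:
    radius = RadiusServer({"alice": ("s3cret", 10), "bob": ("hunter2", 20)})
    sw = Switch(radius)
    return (sw.connect(1, "alice", "s3cret"), sw.connect(2, "bob", "wrong"),
            sw.relay(1), sw.relay(2))
```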
Conventional client authentication technologies, which require a person in charge of running and managing a network to set in each switch information about whether client authentication is necessary, have two problems.
One is that the necessity of setting the information in each switch increases the workload of a person in charge of running and managing a network. The other problem is that an error made by a person in charge of running and managing a network in setting the information in each switch could degrade the security of the network.
The former problem will be described first.
In introducing a new client authentication function to a network that is already up and running, or in introducing a client authentication function to a newly built network, a person in charge of running and managing the network needs to update or create a configuration for controlling switch operation for each switch that constitutes the network.
The person in charge of running and managing the network also needs to check whether the updated or generated configuration is consistent with the configuration prior to the update or the creation, and whether the configuration of one switch is consistent with the configuration of another switch.
Networks are increasing in scale and complexity as more and more business and other activities are now conducted over networks. The increase in network scale and complexity is accompanied by an increase in the number of switches per network.
A person in charge of running and managing a network therefore has to perform the task of checking configuration consistency between switches on correspondingly more switches, which increases the workload of the person in charge of running and managing a network.
The latter problem will be described next.
Client authentication is a technology for allowing only a client that has the right to connect to a network to access the network. Network security is thus ensured. An error made by a person in charge of running and managing a network in setting a switch configuration can therefore degrade the network security.
For instance, the security of a network is degraded if a person in charge of running and managing the network erroneously sets a configuration such that client authentication is not executed at a port where client authentication should be executed.
Network security can also be degraded when a person in charge of running and managing a network forgets to include, in a configuration, client authentication that should be executed in one of the switches or at one of the ports. A specific example of such cases is when a person in charge of running and managing a network forgets to apply a switch configuration to a switch.
In conventional client authentication technologies, where whether or not client authentication is executed at a port provided in a switch is set manually, wrong settings and skipped settings due to human error are unavoidable. Conventional client authentication technologies therefore carry a risk of degrading network security. This risk can be reduced only through more diligent checking by a person in charge of running and managing a network.
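The consistency check that the text says must otherwise be performed by hand, as an added illustration rather than the patent's own method: compare the intended client-authentication policy with what each switch actually has configured, and flag the two failure modes described above (authentication disabled at a port where it should be executed, and a switch whose configuration was never applied). The switch names, port numbers and the configuration representation are constructed for this example.

```python
# Constructed intended policy: for each switch, the ports where client
# authentication must be executed (ports not listed carry no requirement).
POLICY = {
    "sw-floor1": {1, 2, 3},
    "sw-floor2": {1, 2},
    "sw-floor3": {1},
}

# Constructed running configurations as read back from the switches:
# port -> True if client authentication is enabled on that port.
RUNNING = {
    "sw-floor1": {1: True, 2: True, 3: True, 4: False},
    "sw-floor2": {1: True, 2: False},   # port 2 wrongly left without authentication
    # "sw-floor3" is absent: its configuration was never applied to the switch
}


def audit(policy: dict, running: dict) -> list:
    """Return (switch, port, problem) tuples; an empty list means the
    running configurations are consistent with the policy."""
    findings = []
    for switch, required_ports in sorted(policy.items()):
        config = running.get(switch)
        if config is None:
            # The whole switch is missing its configuration (skipped setting)
            findings.append((switch, None, "no configuration applied"))
            continue
        for port in sorted(required_ports):
            if port not in config:
                # The port exists in the policy but not in the switch configuration
                findings.append((switch, port, "port missing from configuration"))
            elif not config[port]:
                # Authentication should be executed here but is disabled (wrong setting)
                findings.append((switch, port, "authentication required but disabled"))
    return findings


if __name__ == "__main__":
    for switch, port, problem in audit(POLICY, RUNNING):
        print(f"{switch} port {port}: {problem}")
```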